Welcome to the Qualys Consulting Edition


Qualys Consulting Edition provides consultants, auditors, and managed service providers 
(MSPs) with the ease of use, scalability, precision and centralized management of the 
Qualys Cloud Platform. This guide is intended to highlight the unique features of the 
Qualys Consulting Edition and walk you through the initial set up steps. 


About Qualys 


Qualys, Inc. (NASDAQ: QLYS) is a pioneer and leading provider of cloud-based security and 
compliance solutions. The Qualys Cloud Platform and its integrated apps help businesses 
simplify security operations and lower the cost of compliance by delivering critical 
security intelligence on demand and automating the full spectrum of auditing, 
compliance and protection for IT systems and web applications. 


Founded in 1999, Qualys has established strategic partnerships with leading managed 
service providers and consulting organizations including Accenture, BT, Cognizant 
Technology Solutions, Deutsche Telekom, Fujitsu, HCL, HP Enterprise, IBM, Infosys, NTT, 
Optiv, SecureWorks, Tata Communications, Verizon and Wipro. The company is also a 
founding member of the Cloud Security Alliance (CSA). For more information, please visit 
www.qualys.com. 


Contact Qualys Support 


Qualys is committed to providing you with the most thorough support. Through online 
documentation, telephone help, and direct email support, Qualys ensures that your 
questions will be answered in the fastest time possible. We support you 7 days a week, 
24 hours a day. Access support information at www.qualys.com/support/. 
Get Started


The main addition to the Qualys Consulting Edition is the Networks feature, which is the 
cornerstone of multi-tenancy within the platform. Because of this, the first step when 
starting with Consulting Edition is to add a network for your clients. This feature silos 
network space for your individual clients and prevents the overlapping of data for assets 
which share the same IP address. Generally, this is only necessary for client engagements 
in which you are performing an ongoing assessment. 


The Clients Tab associates individual scan instances with the applicable client. This will 
aid in keeping data organized between all your clients and is especially useful for clients 
who require ad hoc or periodic scans. 


Here’s the starting workflow of the platform:

- Define networks
- Add assets
- Create asset groups (manage networks from here)
- Add a Virtual Scanner Appliance
- Configure scan settings
- Setup host authentication
- Run/Schedule scans


Define networks 


Consultants can manage overlapping IP ranges within a single Qualys subscription. Define 
discrete private networks for each client to keep overlapping blocks isolated from each 
other. This allows you to easily manage ongoing engagements with clients and track 
trending information without confusion between environments. 


Go to Assets > Networks > New > Network (Manager only), and give your network a 
friendly name. Save the network. We'll add appliances to it later. 


The Global Default Network is used to scan assets that do not belong to custom
networks. Want to scan your network perimeter? You'll need to choose the Global
Default Network.
Add assets


You'll need to tell us the IPs/ranges you want to scan and report on. Go to Assets > Host 
Assets. From the New menu, select IP Tracked Hosts, DNS Tracked Hosts or NetBIOS 
Tracked Hosts. The tracking method you choose will be assigned to the hosts being added. 


Tip - By default we track hosts by IP address. You may want to use DNS or NetBIOS
tracking if the hosts on the network are assigned IP addresses dynamically through DHCP.


Jump to the Host IPs tab. Enter the IPs you're adding, and click Add. That's it! The new IPs 
will appear on your Host Assets list and they'll be available for scanning. 


Tip - You can keep the Global Default Network selection. New IPs will be available to all
networks regardless of your selection.


Which users can add assets?


Unit Managers can be granted the Add Asset permission. In some subscriptions, including
consultant subscriptions, Scanner users can also be granted this permission.


The asset being added to an asset group should be a part of the Unit Manager's business
unit or assigned to the Scanner user.


Not sure which IPs to add?


Launch a map to discover live devices on your client’s network and add those IPs to your 
account from the map results. Go here to learn how. 
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Create asset groups (manage networks from here) 


Create asset groups and associate them with your network. Go to Assets > Asset Groups > 
New > Asset Group. Give your group a name, select a network, and then add assets to it. 
We recommend you create an asset group for each client, such as Client A, Client B, etc. 


Tip - Each asset group can be associated with only one network. Once the asset group is 
saved, you cannot change its network assignment. 
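

Because an asset group's network assignment cannot be changed once it is saved, it helps to check client address space before creating groups. The following is an added example, not Qualys code and not part of the original guide: it parses IP/range lists in the notation this guide shows, reports which clients share address space (and so need separate networks), and lists scan targets that fall outside a client's asset group. The client ranges are constructed sample data and all function names are hypothetical.

```python
# Added example (not Qualys code): scope pre-check for multi-client scanning.
import ipaddress
from itertools import combinations

# Constructed sample data: one asset group per client, written in the
# IP/range notation this guide shows (e.g. "10.10.10.180-10.10.10.181").
ASSET_GROUPS = {
    "Client A": "10.10.10.10-10.10.10.100, 10.10.24.11",
    "Client B": "10.10.10.50-10.10.10.60, 192.168.5.0-192.168.5.255",
    "Client C": "172.16.0.1-172.16.0.254",
}


def parse_ranges(spec):
    """Parse 'a-b, c, d-e' into sorted, merged (low, high) integer spans."""
    spans = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        first, sep, last = item.partition("-")
        lo = int(ipaddress.IPv4Address(first.strip()))
        hi = int(ipaddress.IPv4Address(last.strip())) if sep else lo
        if lo > hi:
            raise ValueError(f"range start is after range end: {item}")
        spans.append((lo, hi))
    merged = []
    for lo, hi in sorted(spans):
        if merged and lo <= merged[-1][1] + 1:  # overlapping or adjacent
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged


def intersect(a, b):
    """Address space present in both merged span lists."""
    out, i, j = [], 0, 0
    while i < len(a) and j < len(b):
        lo, hi = max(a[i][0], b[j][0]), min(a[i][1], b[j][1])
        if lo <= hi:
            out.append((lo, hi))
        if a[i][1] < b[j][1]:
            i += 1
        else:
            j += 1
    return out


def subtract(a, b):
    """Parts of merged span list a that merged span list b does not cover."""
    out = []
    for lo, hi in a:
        cur = lo
        for blo, bhi in b:
            if bhi < cur:
                continue
            if blo > hi:
                break
            if blo > cur:
                out.append((cur, blo - 1))
            cur = bhi + 1
            if cur > hi:
                break
        if cur <= hi:
            out.append((cur, hi))
    return out


def fmt(spans):
    """Render spans back into the 'a-b, c' notation."""
    parts = []
    for lo, hi in spans:
        first, last = ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi)
        parts.append(str(first) if lo == hi else f"{first}-{last}")
    return ", ".join(parts)


def overlapping_clients(groups):
    """Map each pair of clients to the address space they share, if any."""
    parsed = {name: parse_ranges(spec) for name, spec in groups.items()}
    overlaps = {}
    for a, b in combinations(sorted(parsed), 2):
        shared = intersect(parsed[a], parsed[b])
        if shared:
            overlaps[(a, b)] = fmt(shared)
    return overlaps


def out_of_scope(targets, group_spec):
    """Return the part of a scan target list the asset group does not cover."""
    return fmt(subtract(parse_ranges(targets), parse_ranges(group_spec)))


if __name__ == "__main__":
    for (a, b), shared in overlapping_clients(ASSET_GROUPS).items():
        print(f"{a} and {b} share {shared}: define a separate network for each")
    extra = out_of_scope("10.10.10.90-10.10.10.105, 10.10.24.11",
                         ASSET_GROUPS["Client A"])
    print("Targets outside Client A's asset group:", extra or "none")
```

An empty string from `out_of_scope` means every target is inside the client's asset group.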


Add a Virtual Scanner Appliance 


Add virtual scanners for internal scanning. Then go back to the networks you already 
created and add appliances to them. 


Go to Scans » Appliances and select New » Virtual Scanner Appliance. 


Click Start Wizard and we'll walk you through the steps.


Complete the configuration using the virtual scanner console or cloud platform (this is
when you'll need the personalization code).


Be sure activation is successful 


Your appliance needs to make a connection to our cloud platform. You'll see the friendly 
name and IP address when the activation is complete. It may take a few minutes for the 
appliance activation to occur. 
Check your virtual scanner status


Your appliance must be connected to our cloud platform. Go to Scans > Appliances to 
check your appliance status. Select your scanner and you'll see the preview pane. 


[Screenshot: the Appliances list with the preview pane for the selected scanner. Callouts 1 to 4 are explained below.]


1 - This icon tells you the virtual scanner is ready. Now you can start internal scans! Next to
it, the busy icon is grayed out until you launch a scan using this scanner.

2 - This shows you it’s a virtual appliance.

3 - Latest software versions - these are installed as part of the activation.

4 - The available capacity will be 100% until you launch a scan.


Add the scanner to a network 


Go to Assets > Networks, identify the network you're interested in and choose Edit from 
the Quick Actions menu. Then go to the Scanner Appliances tab to add your appliance to 
the network. 


Tip - Removing an appliance from a network could impact your scans. We recommend you
click the appliance name in the list to see its associated asset groups, and update your
network configurations if needed.


Good to Know 


- The scanner appliances you assign to the network will be used to scan the IP addresses in
the network.
- Each scanner appliance can be included in only one network. That means when you add
a scanner appliance to a network, it will be removed from its previous network and any
asset groups that it belonged to, if applicable.
- Be sure the scanner appliances you add to the network will be able to phone home to the
Qualys Cloud Platform and can access the IP addresses that you will be scanning.


Configure scan settings 


An option profile includes scan settings that you'll choose at scan time. We provide the 
"Initial Options" profile to get you started but you can also create your own. Go to Scans » 
Option Profiles. Create a profile from the New menu or edit a default profile to save a copy 
with customized settings. 


Setup host authentication 


Using host authentication (trusted scanning) allows our service to log in to each target
system during scanning. This lets us perform an in-depth security assessment and
get better visibility into each system's security posture. Running authenticated scans gives
you the most accurate results with fewer false positives. How to set up authentication:


Enable authentication in the option profile 


In the option profile, go to the Scan tab, scroll down to Authentication, and select each 
type of authentication you want to use. We're always adding new technologies. 


Add authentication records


Add authentication records for the host technologies you're interested in. Go to Scans > 
Authentication and create new records from the New menu. For each record you'll provide 
login credentials that our service will use to log in to each host at scan time. 


Run/Schedule scans 


Go to Scans » Scans » New Scan. (Want to schedule your scan?) 


Choose your scan settings.


(1) Client - Choose the client you want to scan. Click Create to add a client at this time. 
You'll provide client information like name, email and company address. 


(2) Option Profile - You can select one of the default profiles provided or a custom profile 
that you previously saved. 


(3) Network - Choose the network you want to scan. You can scan one network at a time. If 
you didn't set up networks then you won't see this option. 


(4) Scanner Appliance - If you added a virtual scanner then you can choose the scanner for 
an internal scan. If you don't have a scanner, we'll use external scanners for a perimeter 
scan. 


(5) Scan Target - Click Assets to select a combination of asset groups and IP addresses to
scan. Or click Tags to select one or more asset tags to scan.


That's it - just click Launch and you're done. 


You'll see your scan in the scans list where you can track its progress. 


One status icon means results are processed and available in your account. The other
means the scan is finished but the results are not processed. Go to Filters > Processing
Tasks to see the status.


Want to schedule your scan? 


You can schedule the scan to run Daily, Weekly or Monthly. Just choose New > Schedule 
Scan. Like with an on demand scan, you'll select the client, an option profile, scanner 
appliance and target hosts. You'll also need to tell us when you want the scan to start and 
how often it should run. Make these settings on the Scheduling tab. 


Go to the Notifications tab if you want to be notified by email before the scan starts or 
when it's finished. You can even customize the message included in the email body. 


Enable email notifications (off by default).


Note - You are the task owner. Notifications will be sent to the email address saved in your
account.
Hit Save to save your scheduled scan. It will appear on the Schedules list. When the scan
starts running (at its next scheduled launch time) you'll see it on the Scans list where you 
can track the status and view results when it's finished. 


View scan results by client 


Go to your Clients list to see all scan instances conducted for all of your clients in one
location. Quickly view scan results for any client by clicking the "Show scans" link.


PCAP Scans


With a PCAP Scan you'll get vulnerability scan results plus a PCAP (Packet Capture) file 
that contains all TCP network traffic captured between the scanner and the target host. 


Good to Know 


- The PCAP Scanning feature must be enabled for your account. Please contact your
Technical Account Manager or Support to get it.
- A scanner appliance (physical or virtual) is required.
- You can scan one IP address at a time.
- The PCAP file will be available for 7 days. You'll need a PCAP Viewer to read file contents.


Start a PCAP Scan


Go to Scans » New » PCAP Scan.


Give your scan a name, select a client, select an option profile, and choose a scanner 
appliance. Then tell us the host you want to scan (a single IP) and click Launch. 


Important - The scanner appliance you use will not be available for any other scan tasks
until your PCAP scan is finished. Scan processing may be delayed for other scans.


When the scan is finished, you can view scan results and download the PCAP file. Choose
PCAP File from the Quick Actions menu. After 7 days the file is no longer available for
download.
Discover Your Network


Launch maps to discover network devices and report comprehensive information about 
them. After discovering live devices on a network you can add them to your account and 
start scanning them for vulnerabilities. 


Add domains for mapping 


Qualys uses a domains concept for its network mapping process. “Domain” in this context 
is our name for a DNS entry, for a netblock, or for a combination. Go to Assets > Domains 
and select New > Domain. 


Enter one or more domains and netblocks (see the help for proper formatting). Click Add. 


Qualys provides a demo domain called “qualys-test.com” for network mapping. This 
domain may already be in your account. If not you can add it yourself. Note that the 
devices in the demo domain reside in Qualys Security Operations Centers, so the Qualys 
Internet scanners can be used for mapping this domain. 


Start your map


Go to Scans > Maps, then select New > Map (or Schedule Map).


Choose your map options.


Option Profile - Choose an option profile with the map settings you want to use. Tip - For 
mapping IPs/ranges without a domain, be sure to enable the map option “Perform live 
host sweep” in the option profile applied to the task. 


Target Domains - Specify any combination of asset groups, domains and IPs/ranges for 
your map target. Enter asset groups in the Asset Groups field, and enter domains and IPs 
in the Domains/Netblocks field. 


We'll create a separate map report for each target. That means we'll create a separate 
map for each domain plus a map for any IPs entered. These maps will run sequentially - 
one at a time - and each map will use a single scanner appliance. 


When the map status is Finished, choose View Report from the Quick Actions menu. 


In the Results section you'll see a list of the hosts detected on the mapped domain. For
each host, you'll see the IP address, DNS and NetBIOS hostnames, the router being used by
the host and the operating system.


Map results are closely integrated with scan capabilities. There are several actions you
can perform on the hosts listed in your map results. For example, you can scan hosts right
away or add newly discovered hosts to your account. Select the check box next to each
host to include in the action, select an action from the Actions drop-down menu (at the
top of the report), and then click Apply.


Go to View > Graphic Mode to change the format of 
your map results to graphic mode. 


Your map results will appear in a graphical view. Use the Summary on the left to drill
down into results or enter a search query at the top of the page.


Deploy Cloud Agents


Using our revolutionary Qualys Cloud Agent platform you can deploy lightweight cloud 
agents for continuous security and compliance assessments. Group agents using asset 
tags that are based on the asset groups you created for your clients earlier. 


Overview 


With Qualys Cloud Agent you'll get continuous network security updates through the 
cloud. As soon as changes are discovered on your hosts they'll be assessed and you'll 
know about new security threats right away. All you have to do is install lightweight 
agents on your hosts - we'll help you do this quickly! 


Install lightweight agents in minutes on your IT assets. These can be installed on your 
on-premise systems, dynamic cloud environments and mobile endpoints. Agents are 
centrally managed by the cloud agent platform and are self-updating (no reboot needed). 


Scanning in the Cloud - We'll start syncing asset data to the cloud agent platform once
agents are installed. Agents continuously collect metadata and beam it to the cloud agent
platform, where full assessments occur right away. Since the heavy lifting is done in the
cloud, the agent needs minimal footprint and processing on target systems.


Stay updated with network security - Scanning in the cloud uses the same signatures
(vulnerabilities, compliance datapoints) as traditional scanning with Qualys scanners.
You'll get informed right away about new security threats using your Qualys Cloud
Platform applications - Vulnerability Management (VM), Policy Compliance (PC),
Continuous Monitoring (CM), AssetView (AV) and more!


What do I need to know? 


There are a few things to know before you install agents on hosts within your network. 


We recommend these resources 


Cloud Agent Platform Introduction (2m 10s)
Getting Started Tutorial (4m 58s)
Qualys Cloud Platform
Qualys Cloud Agent Getting Started Guide


Cloud Agent requirements
- We support: Windows, Linux/Unix (.rpm), Linux (.deb), Apple Mac OSX (.pkg)
- Your hosts must be able to reach the Qualys Cloud Platform (or the Qualys Private Cloud
Platform) over HTTPS port 443. Go to Help > About for the URL your hosts need to access.
- To install Windows Agent you must have local administrator privileges on your hosts.
Proxy configuration is supported.
- To install Linux Agent, Unix Agent, Mac Agent you must have root privileges, non-root
with Sudo root delegation, or non-root with sufficient privileges (VM scan only). Proxy
configuration is supported.


Steps to install agents 
- Create an activation key. This lets you group agents and bind them to your account. 


- Download the agent installer to your local machine. 


- Run the installer on each host from an elevated command prompt, or use group policy or 
a systems management tool. 


- Activate agents for modules in your subscription (i.e. VM, PC, etc). A license will be 
consumed for each agent activated. 


Get Started 
Select the Cloud Agent app from the app picker. 


Check out the Quick Start Guide (you can go to user name menu and select this option 
anytime). You'll see step by step instructions with links to the right places to take actions. 


It's easy to install agents
It just takes a few minutes to install an agent. Our wizard will help you do it quickly.


You'll need an activation key. Select New Key to create one. This key provides a way to
group agents and bind them to your account.




We recommend you create different keys for different clients. Give your key a name (e.g. 
Client A) and assign the key an asset tag (e.g. Client A). We'll automatically add the same 
tag to the agents installed using that key. 


Did you know? We've defined certain tags for you. You'll have one asset tag for each asset 
group in your account. That means if you created asset groups for your clients (Client A, 
Client B, etc.) then you already have asset tags for your clients. 


Next, provision the key for the VM application. If you have additional apps like PC, FIM and 
IOC then you'll see them listed as well. Click Generate. 


Review requirements and click Install Instructions for the target agent host.


New Activation Key dialog: New activation key generated successfully. Key Type: Unlimited key.

Installation Requirements
- Windows (.exe): Windows Client Versions, Windows Server Versions
- Linux (.rpm): Red Hat Enterprise Linux, CentOS, Fedora, OpenSUSE, SUSE, Amazon Linux, Oracle Enterprise Linux
- Linux (.deb): Debian, Ubuntu
- Mac OSX (.pkg)
- AIX (.rpm): IBM AIX

Each platform row has its own Install instructions button.


You'll download the agent installer and run it on your hosts. To run the installer you just
copy and paste the command shown - it's that simple.


Install dialog: You are ready to install the agent. Current agent version: 1.6.4.9. Hash-SHA-256: 0b6782…

Windows Installation Requirements
- To install the agent you must have local administrator privileges on your host.
- Your host must be able to reach the Qualys Cloud Platform or the Qualys Private Cloud Platform over HTTPS port 443.
- Do you have a proxy? Learn more
- Click here for the list of supported operating system versions.

Steps to Install the Windows Agent
- Download the agent installer. The file will be saved to your downloads area, as defined by your local system.
- Copy QualysCloudAgent.exe to the host you want to monitor and run the command, or use group policy or a systems management tool. Click here to troubleshoot.
- Copy and paste this command for installation: QualysCloudAgent.exe CustomerId={...} ActivationId={...}
Run the installer on each host from an elevated command prompt, or use group policy or a
systems management tool.

Our installation guides will help you with additional options like setting up proxy
support, and more.


Installation Guides: 
Windows Agent 
Linux Agent 

Unix Agent 

Mac Agent 
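A scripted version of the download-and-run steps for the Windows agent, as an added example (not Qualys code): it refuses to build the install command unless the downloaded installer's SHA-256 equals the full value shown in the install dialog. The function names are hypothetical, and the brace-wrapped GUID form of CustomerId and ActivationId is an assumption about the command the dialog generates.

```python
"""Pre-install check for a downloaded agent installer (added example, not Qualys code)."""
import hashlib
import hmac
import os
import tempfile
import uuid


def sha256_file(path, chunk_size=1 << 20):
    """Hash the file in chunks so large installers are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def installer_matches(path, expected_hex):
    """Compare the file's SHA-256 with the value copied from the install dialog."""
    expected = expected_hex.strip().lower()
    # A shortened value (for example only the first few characters) proves nothing,
    # so anything that is not a full 64-character hex digest is rejected outright.
    if len(expected) != 64 or any(c not in "0123456789abcdef" for c in expected):
        raise ValueError("expected value is not a full SHA-256 hex digest")
    return hmac.compare_digest(sha256_file(path), expected)


def braced_guid(value, label):
    """Normalise an ID to {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} (assumed format)."""
    try:
        return "{" + str(uuid.UUID(value.strip().strip("{}"))) + "}"
    except ValueError:
        raise ValueError(f"{label} is not a GUID") from None


def build_install_command(installer, customer_id, activation_id, expected_sha256):
    """Return the argv list for the installer, or raise if the file fails the hash check."""
    if not installer_matches(installer, expected_sha256):
        raise RuntimeError("installer hash does not match the value shown in the UI")
    return [
        str(installer),
        "CustomerId=" + braced_guid(customer_id, "CustomerId"),
        "ActivationId=" + braced_guid(activation_id, "ActivationId"),
    ]


if __name__ == "__main__":
    # Constructed stand-in for the download; the IDs below are placeholders, not real keys.
    fd, path = tempfile.mkstemp(suffix=".exe")
    os.write(fd, b"constructed installer bytes")
    os.close(fd)
    shown_in_ui = hashlib.sha256(b"constructed installer bytes").hexdigest()
    print(build_install_command(path,
                                "00000000-0000-0000-0000-000000000001",
                                "00000000-0000-0000-0000-000000000002",
                                shown_in_ui))
    os.remove(path)
```

Passing the result to a process launcher as an argument list, rather than as one concatenated string, keeps the IDs from being reinterpreted by a shell.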


Want to create more tags? 




As previously mentioned, we've defined certain tags for you, like tags that correspond to
your asset groups. You can also create your own custom tags. To get started, choose the
AssetView app from the app picker. Then go to the Tags section and click New Tag.




In the Tag Creation wizard, enter the settings for your tag. You'll give the tag a name and 
configure a tag rule. The rule is used to evaluate asset data returned by scans. When asset 
data matches a tag rule we'll automatically add the tag to the asset. 


Tag Creation wizard, Step 2 of 3: Set the tag type and rules. The wizard steps are 1 Tag details, 2 Tag Rule, 3 Review And Confirm.

Rule Engine options:
- No Dynamic Rule
- Asset Name Contains
- Groovy Scriptlet
- IP Address In Range(s)
- IP Address In Range(s) + Network(s)
- Open Ports
- Operating System Regular Expression
- Software installed
- Vuln(QID) Exist
- Asset Search


Tip - Turn help tips on (in the wizard title bar) and we'll show you help as you hover
over the settings.
Analyze, Query & Report


In this section we'll cover how to query assets, build widgets and dashboards in AssetView
and how to create reports in VM.


How to Query Assets 




Select the AssetView app from the app picker. 


Go to the Assets tab. This is where you'll see an inventory of all your scanned assets. 




Start typing in the search field and you'll see a list of asset properties (tokens) you can use 
to search. Hover over the token name to see syntax help to the right. 


Search field (screenshot): as you type, matching tokens are listed, for example openPorts.description, openPorts.detectedService, openPorts.firstFound, openPorts.lastUpdated, openPorts.port, openPorts.protocol and operatingSystem.

Syntax Help: operatingSystem
Use quotes or backticks within values to help you find the operating system you're looking for.

Examples
Show any findings with this OS name:
operatingSystem: Windows 2012

Show any findings that match exact value "Windows 2012"
View Asset Details anytime


The latest vulnerability data is always available in your assets inventory. Just select the 
asset name and choose View Asset Details from the quick actions menu. 




Save Query 


Easily save your searches for reuse and share them with others. 




Download and export results 


It just takes a minute to export search results. Select Download from the Tools menu. Next 
choose an export format and click Download. 


Datalist Download dialog: Select Download Format. Available formats: Comma-Separated Value (CSV), Extensible Markup Language (XML), Portable Document Format (PDF), Microsoft Word (DOC), Compressed HTML pages (ZIP), Web Archive (HTML). You can also select the timezone to use for dates included in the report.
Create widget


You can create a widget based on your query and add it to your dashboard. First search for
assets and then choose Create widget. Add a title; you'll see your query is populated for
you. It takes just one click to add the widget to your dashboard.


Create Reports


There are several reporting options available. Different reports provide different views of 
client data. 


Consultant Reports 
Create reports specific to your clients’ needs. You can add a custom cover page to your 
report to include client and consultant contact information plus a summary. 


To get started, you'll need to create a consultant report template. Go to Reports >
Templates > New > Consultant Template. See the online help for details on template settings.




Now go to Reports > Reports > New > Consultant Report.


Choose the report template you created, a report format, and the client.




Tip - By running the report in DOCX format you can edit the report to focus on the details
most important to each of your clients.


Click Next. You'll be prompted to choose client scan results to include in the report, then
click Run. Your report will run in a new window.


Template Based Scan Reports
Go to Reports > New > Scan Report > Template Based... 




Choose a report template and pick a report format. If you configured client networks then 
choose the network you want to report on and your report target. Then click Run. 




There are many report templates to choose from. For example: 


The Executive Report provides a global view of your network security. This report is ideal 
for CIO or executive level managers. This report does not include detailed scan results or 
details like vulnerability descriptions and verified fixes. 


The Technical Report provides detailed scan results including the most current 
vulnerability information for each host. This report does not show vulnerability trends 
over time. 


You can use a template provided by Qualys or create your own custom templates. 
Review Certificates and SSL Grade


Did you know there's a lot of information you can see in Qualys VM without running
reports? Under Assets, go to the Certificates, Applications and Ports/Services tabs for
easy-to-search inventories based on your vulnerability scan data.


Let's take a closer look at certificates. Go to VM > Assets > Certificates. You'll see a list of 
certificates installed on hosts. Newly discovered certificates are added automatically to 
the inventory as new scan results become available in your account. 




When the SSL Labs Grade feature is enabled for your subscription, you'll see a grade (A+, 
A, A-, B, C, D, E, F, T, M, NA) for each certificate on your certificates list. Grades are updated 
automatically each time new vulnerability scan results are processed for your hosts. 


How do I get this feature?


Please contact your Technical Account Manager or Support to have the SSL Labs Grade 
feature enabled for your subscription. 


Not seeing a grade? 


Make sure the Grade column is shown by selecting it from the Tools menu above the list. If 
this feature was recently enabled, be sure to run new vulnerability scans on your hosts in 
order for grades to be calculated. 


How are grades calculated? 


We first look at the certificate to verify that it is valid and trusted. Then we inspect SSL 
configuration in three categories: 1) Protocol Support, 2) Key Exchange and 3) Cipher 
Strength. Each category is given a score and we combine these scores for an overall score 
of 0-100. (A zero in any category results in an overall score of zero.) The overall numerical 
score is translated into a letter grade (A-F) using a look-up table. Your A grade will be 
upgraded to A+ for exceptional configurations, and downgraded to A- when there are one 
or more warnings. Other grades you might see: T (certificate is not trusted), M (certificate 
name mismatch), and NA (not applicable, SSL server information not retrieved). 


Want to learn more? Check out the SSL Server Rating Guide here: 
https://www.ssllabs.com/projects/rating-guide/index.html 
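The grading flow described above, as an added example (not Qualys or SSL Labs code). The category weights and grade boundaries are taken from the SSL Labs rating guide linked above and are not stated on this page; the Endpoint record, the order in which NA, T and M are checked, and warnings taking precedence over an exceptional configuration are assumptions.

```python
"""Grade calculation flow for one certificate/endpoint (added example)."""
from dataclasses import dataclass

# Assumption: weights (percent) and grade boundaries follow the SSL Labs
# SSL Server Rating Guide; this page only says a look-up table is used.
WEIGHTS = {"protocol": 30, "key_exchange": 30, "cipher": 40}
GRADE_TABLE = [(80, "A"), (65, "B"), (50, "C"), (35, "D"), (20, "E"), (0, "F")]


@dataclass
class Endpoint:
    """Hypothetical record of what a scan learned about one SSL/TLS endpoint."""
    host: str
    protocol: int = 0          # category scores, each 0-100
    key_exchange: int = 0
    cipher: int = 0
    retrieved: bool = True     # False: SSL server information not retrieved
    trusted: bool = True       # certificate is valid and trusted
    name_matches: bool = True  # certificate name matches the host
    warnings: int = 0
    exceptional: bool = False


def overall_score(ep):
    """Combine the three category scores into one 0-100 score."""
    scores = {name: getattr(ep, name) for name in WEIGHTS}
    for name, value in scores.items():
        if not 0 <= value <= 100:
            raise ValueError(f"{name} score out of range: {value}")
    # A zero in any category results in an overall score of zero.
    if 0 in scores.values():
        return 0
    return round(sum(WEIGHTS[n] * scores[n] for n in WEIGHTS) / 100)


def grade(ep):
    """Return the grade string shown in the certificates list."""
    # Certificate checks come first; the scores only matter if these pass.
    if not ep.retrieved:
        return "NA"
    if not ep.trusted:
        return "T"
    if not ep.name_matches:
        return "M"
    score = overall_score(ep)
    letter = next(g for floor, g in GRADE_TABLE if score >= floor)
    if letter == "A":
        if ep.warnings:        # assumption: a warning outweighs "exceptional"
            return "A-"
        if ep.exceptional:
            return "A+"
    return letter


def grade_inventory(endpoints):
    """Map each host to its grade."""
    return {ep.host: grade(ep) for ep in endpoints}


# Constructed sample inventory (documentation addresses, invented scores).
SAMPLE = [
    Endpoint("192.0.2.10", 100, 90, 90, exceptional=True),
    Endpoint("192.0.2.11", 100, 90, 90, warnings=2),
    Endpoint("192.0.2.12", 70, 80, 60),
    Endpoint("192.0.2.13", 0, 90, 90),
    Endpoint("192.0.2.14", 100, 90, 90, trusted=False),
    Endpoint("192.0.2.15", 100, 90, 90, name_matches=False),
    Endpoint("192.0.2.16", retrieved=False),
]

if __name__ == "__main__":
    for host, result in grade_inventory(SAMPLE).items():
        print(f"{host}\t{result}")
```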
PCI Compliance


PCI Scan Requirements 


Qualys is certified to help merchants and their consultants achieve compliance with the 
PCI Data Security Standard (DSS) including these scan requirements: 


Per PCI DSS v3.0 requirement 11.2.2, the PCI Council requires merchants to perform 
quarterly external vulnerability scans via an Approved Scanning Vendor (ASV), approved 
by the PCI Security Standards Council (PCI SSC). Qualys is a certified ASV. Every part of 
cardholder data system components needs to be scanned. 

What systems should I scan? 


Hosts that store cardholder data must be scanned. Also every part of cardholder data 
system components must be scanned. We recommend you refer to the PCI Data Security 
Standard (DSS) for details. Check to see these hosts are in your account by going to Assets 
> Host Assets. 


Do I need to whitelist the scanners? 


Our scanners must be able to reach the hosts being scanned. You may need to whitelist 
our scanners to allow access. Go to Help > About to see the IP addresses for our external 
scanners. You'll also see URLs that your scanner appliance must be able to contact. 


Avoid scanning through a firewall from the inside out 


Problems can arise when scan traffic is routed through the firewall from the inside out, i.e.
when the scanner appliance is sitting in the protected network area and scans a target
which is located on the other side of the firewall. See Scanning and Firewalls.


PCI Readiness Reports 


Prepare customers of all sizes for ASV certifications and QSA audits by running PCI 
readiness reports. 


Commonly integrates with: 

- PCI Readiness Assessments 

- PCI Compliance Road Mapping 

- Payment Infrastructure Assessments 


- Payment Infrastructure Strategy 
What are the steps?


Step 1: Run a Scan 


Under VM, go to Scans > New > Scan. Tell us the IPs you want to scan, and select a PCI 
option profile like “Payment Card Industry (PCI) Options”. This profile has scan settings 
required according to the PCI DSS standard. 




Step 2: Fix Vulnerabilities and Re-Scan 


Run the PCI Technical Report to see whether your scan is compliant. Go to Reports >
Templates, find the "Payment Card Industry (PCI) Technical Report" and select Run from
the Quick Actions menu.




In your report you'll see the PCI compliance status (PASS or FAIL) for the overall report, for
each host and each vulnerability detected. Vulnerabilities with the FAIL status must be
fixed to pass the PCI compliance requirements. (Vulnerabilities with no PCI status are not
required for compliance; however, we do recommend you fix them in severity order.) See
the online help to better understand the Qualys KnowledgeBase and severity levels.


After fixing vulnerabilities, be sure to re-scan to verify that all PCI vulnerabilities are fixed 
and the overall status is PASS. 
Wait, there’s more!


Policy Compliance 


Use Qualys Policy Compliance (PC) to reduce the risk of internal and external threats 
while providing proof of compliance demanded by auditors and government regulations. 


Qualys Policy Compliance Getting Started Guide 


Web Application Scanning 


Qualys Web Application Scanning (WAS) is the most powerful web application scanner 
available. Set up your web application and run discovery and vulnerability scans. 


Qualys Web Application Scanning Getting Started Guide 


Self Assessment Questionnaire 


Qualys Self Assessment Questionnaire (SAQ) is our automated questionnaire service. SAQ 
helps you automate your risk and compliance through campaigns. Collect risk data and 
compliance evidence from all the right people, then analyze and report on compliance 
and vendor risk. 


Qualys API 


You'll get the Qualys API with your Consultant subscription. Run up to 25 API calls per day 
(additional packages available). 


Check out these API user guides 
Qualys API (VM, SCA, PC) User Guide 
Qualys API (VM, SCA, PC) XML/DTD Reference 